PLACEHOLDER FOR WORK THAT MAY NEVER BE DONE - PREVIEW ONLY

Query Reference Time

When given 0x19 as its FunctionCode argument, the NtTraceControl function queries a given logger for its reference time. Microsoft’s name for this function code is not known. This note deals only with the function’s behaviour that is specific to this function code. The function’s general behaviour is here taken as assumed knowledge.

The meaningful input is a 16-bit logger ID, but it must be presented as 32 bits. The expected output is the ReferenceTime from the logger’s WMI_LOGGER_CONTEXT. If the input buffer is not exactly 4 bytes or the output buffer does not allow for exactly the 0x10 bytes of an ETW_REF_CLOCK, the function returns STATUS_INVALID_PARAMETER. If the input does not select a running logger, the function returns STATUS_WMI_INSTANCE_NOT_FOUND.

TO BE DONE?

This page was created on 22nd April 2020 from material first published on 31st December 2018. It was last modified on 28th May 2020.

Copyright © 2018-2020. Geoff Chappell. All rights reserved. Conditions apply.